pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #123598 from pschyska/master

nixos/nsd: make nsd-checkconf work when configuration contains keys (#118140)

Christoph Hrdinka 57acb6f9 76a7840f

options
unified split
Changed files
+28 -3
nixos
modules
services
networking
nsd.nix
tests
nsd.nix
+19 -3
nixos/modules/services/networking/nsd.nix 
···

       
20

       
 

       



     

       
21

       
 

       
  mkZoneFileName = name: if name == "." then "root" else name;


     

       
22

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
23

       
 

       
  nsdEnv = pkgs.buildEnv {


     

       
24

       
 

       
    name = "nsd-env";


     

       
25

       
 

       



     
···

       
34

       
 

       
        echo "|- checking zone '$out/zones/$zoneFile'"


     

       
35

       
 

       
        ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || {


     

       
36

       
 

       
          if grep -q \\\\\\$ "$zoneFile"; then


     

       
37

       
-

       
            echo zone "$zoneFile" contains escaped dollar signes \\\$


     

       
38

       
-

       
            echo Escaping them is not needed any more. Please make shure \


     

       
39

       
-

       
                 to unescape them where they prefix a variable name


     

       
40

       
 

       
          fi


     

       
41

       
 

       



     

       
42

       
 

       
          exit 1


     
···

       
44

       
 

       
      done


     

       
45

       
 

       



     

       
46

       
 

       
      echo "checking configuration file"


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
47

       
 

       
      ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf


     

       

       

       
     

       

       

       
     

       
48

       
 

       
    '';


     

       
49

       
 

       
  };


     

       
50

       
 

       



     
···

       
20

       
 

       



     

       
21

       
 

       
  mkZoneFileName = name: if name == "." then "root" else name;


     

       
22

       
 

       



     

       
23

       
+

       
  # replaces include: directives for keys with fake keys for nsd-checkconf


     

       
24

       
+

       
  injectFakeKeys = keys: concatStrings


     

       
25

       
+

       
    (mapAttrsToList


     

       
26

       
+

       
      (keyName: keyOptions: ''


     

       
27

       
+

       
        fakeKey="$(${pkgs.bind}/bin/tsig-keygen -a ${escapeShellArgs [ keyOptions.algorithm keyName ]} | grep -oP "\s*secret \"\K.*(?=\";)")"


     

       
28

       
+

       
        sed "s@^\s*include:\s*\"${stateDir}/private/${keyName}\"\$@secret: $fakeKey@" -i $out/nsd.conf


     

       
29

       
+

       
      '')


     

       
30

       
+

       
      keys);


     

       
31

       
+

       



     

       
32

       
 

       
  nsdEnv = pkgs.buildEnv {


     

       
33

       
 

       
    name = "nsd-env";


     

       
34

       
 

       



     
···

       
43

       
 

       
        echo "|- checking zone '$out/zones/$zoneFile'"


     

       
44

       
 

       
        ${nsdPkg}/sbin/nsd-checkzone "$zoneFile" "$zoneFile" || {


     

       
45

       
 

       
          if grep -q \\\\\\$ "$zoneFile"; then


     

       
46

       
+

       
            echo zone "$zoneFile" contains escaped dollar signs \\\$


     

       
47

       
+

       
            echo Escaping them is not needed any more. Please make sure \


     

       
48

       
+

       
                 to unescape them where they prefix a variable name.


     

       
49

       
 

       
          fi


     

       
50

       
 

       



     

       
51

       
 

       
          exit 1


     
···

       
53

       
 

       
      done


     

       
54

       
 

       



     

       
55

       
 

       
      echo "checking configuration file"


     

       
56

       
+

       
      # Save original config file including key references...


     

       
57

       
+

       
      cp $out/nsd.conf{,.orig}


     

       
58

       
+

       
      # ...inject mock keys into config


     

       
59

       
+

       
      ${injectFakeKeys cfg.keys}


     

       
60

       
+

       
      # ...do the checkconf


     

       
61

       
 

       
      ${nsdPkg}/sbin/nsd-checkconf $out/nsd.conf


     

       
62

       
+

       
      # ... and restore original config file.


     

       
63

       
+

       
      mv $out/nsd.conf{.orig,}


     

       
64

       
 

       
    '';


     

       
65

       
 

       
  };


     

       
66
+9
nixos/tests/nsd.nix 
···

       
43

       
 

       
      services.nsd.enable = true;


     

       
44

       
 

       
      services.nsd.rootServer = true;


     

       
45

       
 

       
      services.nsd.interfaces = lib.mkForce [];


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
46

       
 

       
      services.nsd.zones."example.com.".data = ''


     

       
47

       
 

       
        @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600


     

       
48

       
 

       
        ipv4 A 1.2.3.4


     
···

       
51

       
 

       
        ns A 192.168.0.1


     

       
52

       
 

       
        ns AAAA dead:beef::1


     

       
53

       
 

       
      '';


     

       

       

       
     

       
54

       
 

       
      services.nsd.zones."deleg.example.com.".data = ''


     

       
55

       
 

       
        @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600


     

       
56

       
 

       
        @ A 9.8.7.6


     
···

       
71

       
 

       
    clientv6.wait_for_unit("network.target")


     

       
72

       
 

       
    server.wait_for_unit("nsd.service")


     

       
73

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
74

       
 

       



     

       
75

       
 

       
    def assert_host(type, rr, query, expected):


     

       
76

       
 

       
        self = clientv4 if type == 4 else clientv6


     
···

       
43

       
 

       
      services.nsd.enable = true;


     

       
44

       
 

       
      services.nsd.rootServer = true;


     

       
45

       
 

       
      services.nsd.interfaces = lib.mkForce [];


     

       
46

       
+

       
      services.nsd.keys."tsig.example.com." = {


     

       
47

       
+

       
        algorithm = "hmac-sha256";


     

       
48

       
+

       
        keyFile = pkgs.writeTextFile { name = "tsig.example.com."; text = "aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc="; };


     

       
49

       
+

       
      };


     

       
50

       
 

       
      services.nsd.zones."example.com.".data = ''


     

       
51

       
 

       
        @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600


     

       
52

       
 

       
        ipv4 A 1.2.3.4


     
···

       
55

       
 

       
        ns A 192.168.0.1


     

       
56

       
 

       
        ns AAAA dead:beef::1


     

       
57

       
 

       
      '';


     

       
58

       
+

       
      services.nsd.zones."example.com.".provideXFR = [ "0.0.0.0 tsig.example.com." ];


     

       
59

       
 

       
      services.nsd.zones."deleg.example.com.".data = ''


     

       
60

       
 

       
        @ SOA ns.example.com noc.example.com 666 7200 3600 1209600 3600


     

       
61

       
 

       
        @ A 9.8.7.6


     
···

       
76

       
 

       
    clientv6.wait_for_unit("network.target")


     

       
77

       
 

       
    server.wait_for_unit("nsd.service")


     

       
78

       
 

       



     

       
79

       
+

       
    with subtest("server tsig.example.com."):


     

       
80

       
+

       
        expected_tsig = "  secret: \"aR3FJA92+bxRSyosadsJ8Aeeav5TngQW/H/EF9veXbc=\"\n"


     

       
81

       
+

       
        tsig=server.succeed("cat /var/lib/nsd/private/tsig.example.com.")


     

       
82

       
+

       
        assert expected_tsig == tsig, f"Expected /var/lib/nsd/private/tsig.example.com. to contain '{expected_tsig}', but found '{tsig}'"


     

       
83

       
 

       



     

       
84

       
 

       
    def assert_host(type, rr, query, expected):


     

       
85

       
 

       
        self = clientv4 if type == 4 else clientv6